Compare commits
23 Commits
release/v1
...
release/v1
| Author | SHA1 | Date | |
|---|---|---|---|
| 0ae551615f | |||
| 88bef50ae7 | |||
| 0d069b4233 | |||
| 60bbe077e8 | |||
| 0b09d5425b | |||
| c9a3015e35 | |||
| abd8a80daa | |||
| 0f76ef91a9 | |||
| 72e2ffd898 | |||
| 4c610c89e1 | |||
| 477921563f | |||
| 0fca0e93ec | |||
| f977f9943c | |||
| f445730a41 | |||
| 76cb808c33 | |||
| e167bd983f | |||
| e4dd91564f | |||
| 3bfde476a6 | |||
| b8676027db | |||
| d36d2c60a3 | |||
| 3d7031bb40 | |||
| fa9b725c77 | |||
| a88987d08d |
@@ -84,23 +84,85 @@ jobs:
|
|||||||
: "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
|
: "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
|
||||||
|
|
||||||
keychain_password="$(uuidgen)"
|
keychain_password="$(uuidgen)"
|
||||||
keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
|
previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
|
||||||
mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
|
if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
|
||||||
|
previous_default_keychain=""
|
||||||
|
fi
|
||||||
|
developer_dir="$(xcode-select -p)"
|
||||||
|
signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
|
||||||
|
mkdir -p "${HOME}/Library/Keychains"
|
||||||
|
keychain_name="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain"
|
||||||
|
certificate_path="${signing_dir}/appstore-signing.p12"
|
||||||
|
wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
|
||||||
|
profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
|
||||||
|
profile_plist="${signing_dir}/profile.plist"
|
||||||
|
old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
||||||
|
xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
||||||
|
mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
|
||||||
|
|
||||||
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
|
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
|
||||||
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"
|
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
|
||||||
|
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
|
||||||
|
openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
|
||||||
|
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
|
||||||
|
profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
|
||||||
|
old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
|
||||||
|
xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision"
|
||||||
|
old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision"
|
||||||
|
xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision"
|
||||||
|
cp "${profile_path}" "${old_profile_path}"
|
||||||
|
cp "${profile_path}" "${xcode_profile_path}"
|
||||||
|
cp "${profile_path}" "${old_named_profile_path}"
|
||||||
|
cp "${profile_path}" "${xcode_named_profile_path}"
|
||||||
|
|
||||||
security create-keychain -p "${keychain_password}" "${keychain_path}"
|
base_keychains=()
|
||||||
security set-keychain-settings -lut 21600 "${keychain_path}"
|
while IFS= read -r existing_keychain; do
|
||||||
security unlock-keychain -p "${keychain_password}" "${keychain_path}"
|
[[ -z "${existing_keychain}" ]] && continue
|
||||||
security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
|
[[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
|
||||||
security import ios/build/secrets/appstore-signing.p12 \
|
[[ ! -e "${existing_keychain}" ]] && continue
|
||||||
-k "${keychain_path}" \
|
base_keychains+=("${existing_keychain}")
|
||||||
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
done < <(security list-keychains -d user | sed 's/[ "]//g')
|
||||||
|
|
||||||
|
security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
|
||||||
|
rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
|
||||||
|
security create-keychain -p "${keychain_password}" "${keychain_name}"
|
||||||
|
security set-keychain-settings -lut 21600 "${keychain_name}"
|
||||||
|
security unlock-keychain -p "${keychain_password}" "${keychain_name}"
|
||||||
|
security import "${wwdr_certificate_path}" \
|
||||||
|
-k "${keychain_name}" \
|
||||||
-T /usr/bin/codesign \
|
-T /usr/bin/codesign \
|
||||||
-T /usr/bin/security \
|
-T /usr/bin/security \
|
||||||
-T /usr/bin/xcodebuild
|
-T /usr/bin/xcodebuild
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
|
security import "${certificate_path}" \
|
||||||
|
-k "${keychain_name}" \
|
||||||
|
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
||||||
|
-T /usr/bin/codesign \
|
||||||
|
-T /usr/bin/security \
|
||||||
|
-T /usr/bin/xcodebuild \
|
||||||
|
-T "${developer_dir}/usr/bin/xcodebuild"
|
||||||
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
|
||||||
|
if [[ "${#base_keychains[@]}" -gt 0 ]]; then
|
||||||
|
security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
|
||||||
|
else
|
||||||
|
security list-keychains -d user -s "${keychain_name}"
|
||||||
|
fi
|
||||||
|
security default-keychain -d user -s "${keychain_name}"
|
||||||
|
keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
|
||||||
|
security find-identity -v -p codesigning "${keychain_path}"
|
||||||
|
security find-identity -v -p codesigning
|
||||||
|
echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
|
||||||
|
{
|
||||||
|
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
|
||||||
|
echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
|
||||||
|
echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
|
||||||
|
echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
|
||||||
|
echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
|
||||||
|
echo "SYBIL_SIGNING_DIR=${signing_dir}"
|
||||||
|
echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}"
|
||||||
|
echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}"
|
||||||
|
echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}"
|
||||||
|
echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}"
|
||||||
|
} >> "${GITHUB_ENV}"
|
||||||
|
|
||||||
- name: Build and upload to TestFlight
|
- name: Build and upload to TestFlight
|
||||||
working-directory: ios
|
working-directory: ios
|
||||||
@@ -116,6 +178,12 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
||||||
|
security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
|
||||||
|
security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
||||||
|
security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
|
||||||
|
security find-identity -v -p codesigning
|
||||||
|
|
||||||
SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
|
SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
|
||||||
|
|
||||||
- name: Locate IPA
|
- name: Locate IPA
|
||||||
@@ -205,4 +273,14 @@ jobs:
|
|||||||
- name: Clean up temporary keychain
|
- name: Clean up temporary keychain
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true
|
if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
|
||||||
|
security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
|
||||||
|
fi
|
||||||
|
rm -f \
|
||||||
|
"${SYBIL_OLD_PROFILE_PATH:-}" \
|
||||||
|
"${SYBIL_XCODE_PROFILE_PATH:-}" \
|
||||||
|
"${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
|
||||||
|
"${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
|
||||||
|
security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
|
||||||
|
rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
|
||||||
|
rm -rf "${SYBIL_SIGNING_DIR:-}"
|
||||||
|
|||||||
@@ -5,6 +5,10 @@ FASTLANE_HIDE_CHANGELOG=1
|
|||||||
SYBIL_APP_STORE_APPLE_ID=6759442828
|
SYBIL_APP_STORE_APPLE_ID=6759442828
|
||||||
SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
|
SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
|
||||||
SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
|
SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
|
||||||
|
SYBIL_PROVISIONING_PROFILE_UUID=
|
||||||
|
SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
|
||||||
|
SYBIL_XCODE_CODE_SIGN_IDENTITY=6B74B268C4761720FB2051D01D8BB3E47B55D9F5
|
||||||
|
SYBIL_EXPORT_SIGNING_CERTIFICATE=Apple Distribution
|
||||||
SYBIL_SIGNING_CERTIFICATE_ID=
|
SYBIL_SIGNING_CERTIFICATE_ID=
|
||||||
SYBIL_SIGNING_KEYCHAIN=
|
SYBIL_SIGNING_KEYCHAIN=
|
||||||
|
|
||||||
|
|||||||
@@ -32,6 +32,12 @@ targets:
|
|||||||
INFOPLIST_KEY_UILaunchScreen_Generation: YES
|
INFOPLIST_KEY_UILaunchScreen_Generation: YES
|
||||||
INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
|
INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
|
||||||
INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
|
INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
|
||||||
|
configs:
|
||||||
|
Release:
|
||||||
|
CODE_SIGN_STYLE: Manual
|
||||||
|
CODE_SIGN_IDENTITY: Apple Distribution
|
||||||
|
"CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
|
||||||
|
PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
|
||||||
|
|
||||||
schemes:
|
schemes:
|
||||||
Sybil:
|
Sybil:
|
||||||
|
|||||||
@@ -14,10 +14,13 @@ git push origin release/v1.10.0
|
|||||||
```
|
```
|
||||||
|
|
||||||
The release job runs on the `xcode` runner label, imports the signing p12 into
|
The release job runs on the `xcode` runner label, imports the signing p12 into
|
||||||
a temporary keychain, installs the App Store provisioning profile, builds and
|
a temporary per-user keychain, makes that keychain the user default for the
|
||||||
uploads the app with fastlane, then creates or updates the matching Gitea
|
duration of the job, installs the App Store provisioning profile in both the
|
||||||
release with the generated IPA as an asset. The job deletes the temporary
|
legacy MobileDevice directory and the Xcode UserData directory used by newer
|
||||||
signing keychain in an `always()` cleanup step.
|
Xcode releases, builds and uploads the app with fastlane, then creates or
|
||||||
|
updates the matching Gitea release with the generated IPA as an asset. The job
|
||||||
|
restores the previous user default keychain and deletes the temporary signing
|
||||||
|
keychain and installed profiles in an `always()` cleanup step.
|
||||||
|
|
||||||
Required repository secrets:
|
Required repository secrets:
|
||||||
|
|
||||||
@@ -42,6 +45,20 @@ certificate and provisioning profile values into the repository secrets listed
|
|||||||
above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
|
above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
|
||||||
default.
|
default.
|
||||||
|
|
||||||
|
Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
|
||||||
|
exact certificate common name used when exporting a local p12 for secrets, while
|
||||||
|
`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the certificate SHA-1 fingerprint
|
||||||
|
that Xcode uses during archive. `SYBIL_EXPORT_SIGNING_CERTIFICATE` defaults to
|
||||||
|
the generic `Apple Distribution` selector used in the export options.
|
||||||
|
|
||||||
|
The Release signing settings are also present in `Apps/Sybil/project.yml` so
|
||||||
|
XcodeGen emits a manually signed App Store archive configuration. CI passes the
|
||||||
|
installed provisioning profile UUID to Fastlane as
|
||||||
|
`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
|
||||||
|
project before archiving. CI also passes the temporary keychain path as
|
||||||
|
`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
|
||||||
|
Distribution identity.
|
||||||
|
|
||||||
If the Apple team has reached the Distribution certificate limit, set
|
If the Apple team has reached the Distribution certificate limit, set
|
||||||
`SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
|
`SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
|
||||||
key exists in the local login keychain before running `create_ci_signing`. The
|
key exists in the local login keychain before running `create_ci_signing`. The
|
||||||
|
|||||||
@@ -19,6 +19,9 @@ TEAM_ID = ENV.fetch("FASTLANE_TEAM_ID", "DQQH5H6GBD")
|
|||||||
APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
|
APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
|
||||||
PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
|
PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
|
||||||
PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
|
PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
|
||||||
|
SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
|
||||||
|
XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "6B74B268C4761720FB2051D01D8BB3E47B55D9F5" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
|
||||||
|
EXPORT_SIGNING_CERTIFICATE = ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"]
|
||||||
IOS_ROOT = File.expand_path("..", __dir__)
|
IOS_ROOT = File.expand_path("..", __dir__)
|
||||||
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
|
PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
|
||||||
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
|
PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
|
||||||
@@ -53,6 +56,31 @@ def app_project_settings
|
|||||||
YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
|
YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def apply_release_signing_settings
|
||||||
|
require "xcodeproj"
|
||||||
|
|
||||||
|
project = Xcodeproj::Project.open(PROJECT_FILE)
|
||||||
|
target = project.targets.find { |candidate| candidate.name == TARGET }
|
||||||
|
UI.user_error!("Could not find target #{TARGET} in #{PROJECT_FILE}") unless target
|
||||||
|
|
||||||
|
target.build_configurations.each do |configuration|
|
||||||
|
next unless configuration.name == "Release"
|
||||||
|
|
||||||
|
settings = configuration.build_settings
|
||||||
|
settings["CODE_SIGN_STYLE"] = "Manual"
|
||||||
|
settings["DEVELOPMENT_TEAM"] = TEAM_ID
|
||||||
|
settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
|
||||||
|
settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
|
||||||
|
settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
|
||||||
|
settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
|
||||||
|
if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
|
||||||
|
settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
||||||
|
settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
project.save
|
||||||
|
end
|
||||||
|
|
||||||
def local_marketing_version
|
def local_marketing_version
|
||||||
app_project_settings.fetch("MARKETING_VERSION").to_s
|
app_project_settings.fetch("MARKETING_VERSION").to_s
|
||||||
end
|
end
|
||||||
@@ -76,7 +104,7 @@ def release_version
|
|||||||
end
|
end
|
||||||
|
|
||||||
def xcode_build_setting(key, value)
|
def xcode_build_setting(key, value)
|
||||||
"#{key}=#{value.to_s.shellescape}"
|
"#{key.to_s.shellescape}=#{value.to_s.shellescape}"
|
||||||
end
|
end
|
||||||
|
|
||||||
def env_line(key, value)
|
def env_line(key, value)
|
||||||
@@ -187,6 +215,67 @@ def recreate_app_store_profile(certificate_id)
|
|||||||
profile_path
|
profile_path
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def signing_identity_p12(p12_path, p12_password)
|
||||||
|
work_dir = File.join(SIGNING_OUTPUT_DIR, "single-identity")
|
||||||
|
FileUtils.rm_rf(work_dir)
|
||||||
|
FileUtils.mkdir_p(work_dir)
|
||||||
|
|
||||||
|
all_pem = File.join(work_dir, "all.pem")
|
||||||
|
stdout, stderr, status = Open3.capture3(
|
||||||
|
"openssl", "pkcs12",
|
||||||
|
"-in", p12_path,
|
||||||
|
"-nodes",
|
||||||
|
"-passin", "pass:#{p12_password}",
|
||||||
|
"-out", all_pem
|
||||||
|
)
|
||||||
|
UI.user_error!("Could not inspect exported p12\n#{stderr}\n#{stdout}") unless status.success?
|
||||||
|
|
||||||
|
records = File.read(all_pem).split(/(?=Bag Attributes\n)/)
|
||||||
|
cert_record = records.find do |record|
|
||||||
|
record.include?("friendlyName: #{SIGNING_CERTIFICATE_NAME}") && record.include?("-----BEGIN CERTIFICATE-----")
|
||||||
|
end
|
||||||
|
UI.user_error!("Could not find #{SIGNING_CERTIFICATE_NAME} certificate in exported p12") unless cert_record
|
||||||
|
|
||||||
|
local_key_id = cert_record[/localKeyID: (.+)/, 1].to_s.strip
|
||||||
|
UI.user_error!("Could not resolve localKeyID for #{SIGNING_CERTIFICATE_NAME}") unless present?(local_key_id)
|
||||||
|
|
||||||
|
key_record = records.find do |record|
|
||||||
|
record.include?("localKeyID: #{local_key_id}") && record.include?("-----BEGIN PRIVATE KEY-----")
|
||||||
|
end
|
||||||
|
UI.user_error!("Could not find private key for #{SIGNING_CERTIFICATE_NAME}") unless key_record
|
||||||
|
|
||||||
|
cert_path = File.join(work_dir, "identity.cer.pem")
|
||||||
|
key_path = File.join(work_dir, "identity.key.pem")
|
||||||
|
File.write(cert_path, cert_record[/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m])
|
||||||
|
File.write(key_path, key_record[/-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----/m])
|
||||||
|
|
||||||
|
root_cer = File.join(work_dir, "AppleIncRootCertificate.cer")
|
||||||
|
wwdr_cer = File.join(work_dir, "AppleWWDRCAG3.cer")
|
||||||
|
root_pem = File.join(work_dir, "AppleIncRootCertificate.pem")
|
||||||
|
wwdr_pem = File.join(work_dir, "AppleWWDRCAG3.pem")
|
||||||
|
chain_pem = File.join(work_dir, "chain.pem")
|
||||||
|
run_silent("curl", "-fsSL", "https://www.apple.com/appleca/AppleIncRootCertificate.cer", "-o", root_cer, error_message: "Could not download Apple root certificate")
|
||||||
|
run_silent("curl", "-fsSL", "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer", "-o", wwdr_cer, error_message: "Could not download Apple WWDR G3 certificate")
|
||||||
|
run_silent("openssl", "x509", "-inform", "DER", "-in", root_cer, "-out", root_pem, error_message: "Could not convert Apple root certificate")
|
||||||
|
run_silent("openssl", "x509", "-inform", "DER", "-in", wwdr_cer, "-out", wwdr_pem, error_message: "Could not convert Apple WWDR G3 certificate")
|
||||||
|
File.write(chain_pem, File.read(wwdr_pem) + File.read(root_pem))
|
||||||
|
|
||||||
|
single_p12_path = File.join(work_dir, "appstore-signing.p12")
|
||||||
|
run_silent(
|
||||||
|
"openssl", "pkcs12", "-export",
|
||||||
|
"-inkey", key_path,
|
||||||
|
"-in", cert_path,
|
||||||
|
"-certfile", chain_pem,
|
||||||
|
"-name", SIGNING_CERTIFICATE_NAME,
|
||||||
|
"-out", single_p12_path,
|
||||||
|
"-passout", "pass:#{p12_password}",
|
||||||
|
error_message: "Could not create single-identity p12"
|
||||||
|
)
|
||||||
|
FileUtils.cp(single_p12_path, p12_path)
|
||||||
|
ensure
|
||||||
|
FileUtils.rm_rf(work_dir) if present?(work_dir)
|
||||||
|
end
|
||||||
|
|
||||||
def app_store_connect_key_options
|
def app_store_connect_key_options
|
||||||
key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
|
key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
|
||||||
issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
|
issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
|
||||||
@@ -292,6 +381,7 @@ platform :ios do
|
|||||||
end
|
end
|
||||||
|
|
||||||
UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path)
|
UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path)
|
||||||
|
signing_identity_p12(p12_path, p12_password)
|
||||||
|
|
||||||
profile_path = recreate_app_store_profile(cert_id)
|
profile_path = recreate_app_store_profile(cert_id)
|
||||||
UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
|
UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
|
||||||
@@ -340,15 +430,17 @@ platform :ios do
|
|||||||
UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
|
UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
|
||||||
|
|
||||||
sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
|
sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
|
||||||
|
apply_release_signing_settings
|
||||||
|
|
||||||
xcode_args = [
|
xcode_args = [
|
||||||
xcode_build_setting("MARKETING_VERSION", version),
|
xcode_build_setting("MARKETING_VERSION", version),
|
||||||
xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
|
xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
|
||||||
xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
|
]
|
||||||
xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
|
if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
|
||||||
xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
|
xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
|
||||||
xcode_build_setting("CODE_SIGN_IDENTITY", "Apple Distribution")
|
xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
|
||||||
].join(" ")
|
end
|
||||||
|
xcode_args = xcode_args.join(" ")
|
||||||
|
|
||||||
ipa_path = build_app(
|
ipa_path = build_app(
|
||||||
project: PROJECT_FILE,
|
project: PROJECT_FILE,
|
||||||
@@ -366,6 +458,7 @@ platform :ios do
|
|||||||
provisioningProfiles: {
|
provisioningProfiles: {
|
||||||
APP_IDENTIFIER => PROFILE_SPECIFIER
|
APP_IDENTIFIER => PROFILE_SPECIFIER
|
||||||
},
|
},
|
||||||
|
signingCertificate: EXPORT_SIGNING_CERTIFICATE,
|
||||||
teamID: TEAM_ID,
|
teamID: TEAM_ID,
|
||||||
manageAppVersionAndBuildNumber: false,
|
manageAppVersionAndBuildNumber: false,
|
||||||
uploadSymbols: true,
|
uploadSymbols: true,
|
||||||
|
|||||||
Reference in New Issue
Block a user